The CryptoPHP Infection - A Story About Getting Paid Themes and Plugins for Free

A few of our email servers went wild sending spam this weekend. After quickly fixing the spam issue, we started the longer process of identifying the cause for the spam. It turned out to be the CryptoPHP infection (check out the official whitepaper), activated through a few WordPress themes and plugins.

What is CryptoPHP infection?

The CryptoPHP infection was detected a long time ago, but seems to have been more frequently exploited over the last few months. Hackers who use that method to exploit websites, take paid WordPress, Joomla and Drupal themes and extensions, remove the code blocks that verify a certain extension/theme is licensed, and then distribute them for free. Such versions of extensions/themes are called nulled scripts.

The modified themes/extensions usually contain malicious code that provides full access to the infected sites to the hacker. Inside a nulled theme/extension there is a line of code that looks similar to this:

<?php include('assets/images/social.png'); ?>

Most PHP developers will immediately notice that this code block looks strange. The PHP directive includes a file, which should contain PHP code. However, in this case the file is an image and it contains malicious code, which is usually obfuscated. The malicious code is used for various purposes like black-hat SEO attacks and other, such as on our servers, sending spam.

What we did?

First, we scanned our servers to identify how many sites were infected and we limited the access to the nulled scripts. This means that such malicious files will not run as expected on our servers and hackers will not be able to use them to access sites hosted on our infrastructure.
Second, we are in the process of applying a server-wide protection to make sure any future attempts like the CryptoPHP infection are prevented.

What You should do?

As we cannot establish the full scope of the damages that the infection might have incurred, we sent an email to all infected users asking them to do two things:

  1. Check the list of users to their applications for admins they do not recognize and delete them. The admin user has full access to your site and if that user is not created by you for a trusted person, it is most probably created by the hacker.
  2. Run an audit of your websites for possible backdoors left by the hackers, which means – look for unknown files that are not supposed to be on your account.
    We also strongly recommend you never to download free extensions and themes that are supposed to be paid. No matter what type of software you download, make sure you do it from a reputable source.

We also encourage you to share the information about this vulnerability and why using free themes that are supposed to be paid is not a good idea. This will help create awareness and protect more websites from the infection.

Access email sent!

Sign Up For
More Awesome Content!

Subscribe to receive our monthly newsletters with the latest helpful content and offers from SiteGround.


Please check your email to confirm your subscription.

author avatar

Daniel Kanchev

Director Product Development

Daniel is responsible for bringing new products to life at SiteGround. This involves handling all types of tasks and communication across multiple teams. Enthusiastic about technology, user experience, security and performance, you can never be bored hanging around him. Also an occasional conference speaker and travel addict.

Comments ( 8 )

author avatar


Nov 27, 2014

if we removed the " " line and scaned the files/script with Wordfence , and the results is ( no viruses or malware) , there will be ok? thank you in advance Ionut

author avatar

Hristo Siteground Team

Nov 28, 2014

If you remove it completely from all infected files you should be fine. However, a full security audit is recommended when such issue is detected because you don't know what else they have inserted in your code.

author avatar


Nov 29, 2014

A story about getting paid themes and plugins for free. You found the right title, hahaha :)

author avatar

Lynn Allen

Dec 05, 2014

I don't know if our issue was related to this, as we were using the Fanwood theme, downloaded from But today I was unable to log in, and in looking at the Wordpress code, I found a "new" admin had logged in a week ago...someone I have never heard of. I wonder if that was the hacker. I am glad you all found and squashed this, even though it made me unable to log in to the site. I removed that Wordpress installation and made a new one. Should I do a full security audit anyway?

author avatar

Hristo Siteground Team

Dec 06, 2014

If you've completely wiped out everything you had in your public_html folder then you won't need to do it but if you've removed only the app I would recommend you to do a security audit just to be sure there isn't any leftovers. If there isn't any valuable data in your account, you can post a ticket in your Help Desk and request your account to be re-created. This way you will get it as if you've signed up today :)

author avatar


Dec 12, 2014

I'd bought a theme from a premium ThemeForest developer for $63 for my site. It got hit, so it's not just nulled themes and plugins. All updates are done twice weekly. The developer swears it's not the theme but other users have the same issue on her forum. Had to rebuild the site with another theme. BTW Daniel - What scanner / protection do you suggest? WordFence, Sucuri etc. don't catch malicious php and going through code line by line on 50 sites......(NO, I don't use nulled themes) Thanks

author avatar

Daniel Kanchev Siteground Team

Dec 15, 2014

Hi Graham, Every attack is unique and probably your site has been affected by another popular WP vulnerability. If your site is hosted on one of our servers please post a support ticket and we'll check the case in details. Also make sure that all of your plugins are updated.

author avatar


Jan 18, 2015

@ Graham I've been using 'ZB Block' (search on google for "ZB Block") on my WP sites for the past 18 months and it stops pretty much all the garbage at the front gate. It's a free gpl and I swear by it! In the past I've used Wordfence etc etc but nothing stacks up to this baby. It's easy to install. Additional IP sig files block countries such as ch,ru,ro,ua,in etc etc. In addition its saved me a heap of bandwidth and protected me against comment spammers and scrapers too.


Start discussion

Related Posts